A listing appeared on a Russian-language forum at 2:14 AM. Domain administrator credentials to a US manufacturer with $1.9 billion in annual revenue. Asking price: $2,800. It sold within 36 hours. The buyer's purpose, as determined through subsequent monitoring, was ransomware deployment. Time from listing to the victim appearing on a ransomware data-leak site: 23 days. No alarm was raised during the listing period. The manufacturer's security team first learned of the compromise when the extortion demand arrived.
This is the ordinary rhythm of what analysts call the Initial Access Broker market — a segment of underground commerce in which specialised operators gain unauthorised access to corporate networks and then sell that access, fully formed and ready to use, to ransomware crews and other threat actors. The broker does not conduct the attack. The broker sells the door. The buyer provides the crew.
The IAB market sits within a broader underground economy that has demonstrated remarkable structural resilience across years of law enforcement action. When German and US authorities seized Hydra Market in April 2022 — the dominant darknet marketplace, which had processed $5.2 billion in transactions since 2015 and accounted for 80% of all cryptocurrency transactions on the darknet at its peak — its daily revenue collapsed from $4.2 million to $447,000 almost immediately. Two years later, successor markets collectively processed more revenue in 2024 than Hydra ever managed alone. Bitcoin inflows to darknet markets recovered to $2 billion by 2024. The ecosystem did not recover. It expanded.
Understanding the mechanics of that expansion requires looking at who buys what, how it is priced, and where the transactions now occur — because the market has moved, in part, off the darknet entirely.
The Price of a Network
IAB listings vary by access type, organisational size, and the buyer's assessed ability to monetise. The majority of corporate access listings in 2024 priced between $500 and $2,000. The average listing price across the year was approximately $1,295 — a fall of roughly 60% from $3,066 in 2023, reflecting a market in oversupply. More brokers are active, more access is available, and buyer leverage has increased accordingly.
The aggregate scale of what is for sale is significant. Across observed public forums in 2024, minimum listed prices for tracked IAB listings totalled at least $6.3 million — and the companies whose networks were listed had combined revenues exceeding $3 trillion. The price of the listing bears no relationship to the value of the organisation. A listing for a $500 million healthcare provider might be priced at $1,500. The broker is selling time and convenience, not market-rate access.
Geography shapes the market in measurable ways. US organisations accounted for 34.12% of all 2024 IAB listings — by a wide margin the largest single category. Brazil followed at 4.65%, the UK at 4.13%, Canada at 3.38%. The US concentration reflects both the density of high-value corporate targets and the preference of ransomware operators who can charge higher ransoms in dollar-denominated organisations.
Access type has shifted. VPN access surged to the most commonly listed vector in Q3 2024, accounting for 31.9% of listings, surpassing RDP at 23.1%. The shift reflects a broader migration by organisations toward remote-access infrastructure post-pandemic — and the corresponding opportunity for threat actors to exploit misconfigured or credential-compromised VPN endpoints at scale.
How Credentials Flow to Brokers
The supply side of the IAB market runs on infostealer malware — lightweight programmes that harvest stored credentials, browser sessions, cookies, and authentication tokens from infected endpoints and exfiltrate them automatically to operator-controlled collection infrastructure. The Snowflake breach campaign of April–June 2024, which compromised approximately 165 customer environments, demonstrates the downstream consequences of infostealer activity at scale. The threat actor UNC5537 did not compromise Snowflake's own infrastructure. They used credentials harvested by infostealer malware — some dating as far back as 2020 — to log directly into unprotected customer instances. Approximately 80% of the compromised accounts were accessed using credentials stolen by infostealers. No MFA was enforced.
Kaspersky incident response data from 2024 indicates that valid accounts represented 31.4% of initial attack vectors across investigated incidents, a figure that reflects the direct enabling role of the IAB and infostealer ecosystem. Credentials are not a supplementary threat vector. For a significant proportion of intrusions, they are the only vector used.
The most prolific individual poster on BreachForums in H2 2024 was an actor known as IntelBroker, who accounted for 19.05% of all sales tracked by Rapid7 across that period. IntelBroker's listings included access to major technology companies, government contractors, and financial institutions. The concentration of volume in a single actor illustrates both the operational efficiency of professional brokers and the platform dependency that law enforcement has sought to disrupt.
The darknet market did not survive law enforcement. It evolved past it — dispersing to Telegram, to invite-only forums, to markets that list no addresses and require no search.
The Telegram Migration
The most significant structural shift in the underground economy over the past two years has been the partial migration of credential trading to Telegram. Stealer logs and freshly harvested credentials now appear on Telegram channels within hours of theft — sometimes before the victim organisation is aware of the infection. Some vendors have bypassed traditional darknet markets entirely, operating through closed Telegram groups with vetted membership, escrow through trusted intermediaries, and no public-facing infrastructure for authorities to locate or seize.
This shift complicates the law enforcement calculus that produced the Hydra takedown. A darknet market has a server. A Telegram channel does not require one. BreachForums, seized by the FBI in May 2024, was relaunched by its administrators within two weeks — demonstrating the speed with which invite-based forum infrastructure can reconstitute itself after seizure. The operational continuity of these platforms is not an accident. It is designed.
Genesis Market, taken down in April 2023 in Operation Cookie Monster, had specialised in selling what practitioners called digital fingerprints: logins, cookies, IP data, and browser configuration sufficient to impersonate a user without triggering standard fraud detection systems. A dark web version remained active after the seizure. Its successor, Exodus Marketplace, launched in early 2024 and was reported to control approximately 7,000 infected endpoints across 190 countries. The infrastructure was rebuilt faster than the criminal proceedings from the original takedown could conclude.
Who Actually Buys
The most consequential buyers in the IAB market are ransomware affiliates — operators who require reliable, pre-validated corporate access as the starting point for their intrusions. The broker handles reconnaissance, initial exploitation, and access validation; the affiliate handles lateral movement, data exfiltration, and deployment of the encryption payload. The division of labour reduces skill requirements at both ends and compresses the timeline from purchase to attack.
Cl0p's MOVEit campaign operated differently — the group exploited a zero-day SQL injection vulnerability directly, bypassing the broker layer — but the subsequent data from the IAB market suggests that the standard broker-to-affiliate pipeline is the dominant operational model for mid-tier ransomware groups. The brokers who maintained consistent listings across all four quarters of 2024 despite the market's high general turnover represent the stabilising infrastructure of that pipeline.
Field note — Monitoring darknet and Telegram-based IAB markets for listings referencing your organisation or sector requires continuous, automated presence across platforms that change domains, usernames, and communication channels frequently. Inteliora's underground monitoring capability tracks IAB listings in near-real-time and provides direct notification to clients when access to their environments, or to third-party systems with privileged access to their environments, appears for sale. For organisations without continuous monitoring, the practical minimum is enforcing MFA universally across VPN and remote-access infrastructure, rotating service account credentials quarterly, and treating any credential appearing in infostealer log dumps as fully compromised regardless of apparent account sensitivity.
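The three minimum controls in the field note, expressed as an account audit. This is an added example, not code from the article or from any vendor it names. The `url,username` log-line format, the `example.com` domain, the `Account` fields and the 90-day reading of "quarterly" are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from urllib.parse import urlparse

ORG_DOMAINS = ("example.com",)   # assumption: the organisation's own domains
ROTATION_DAYS = 90               # "quarterly" read as 90 days (assumption)

@dataclass
class Account:
    name: str
    kind: str             # "user" or "service"
    remote_access: bool   # may log in through VPN / remote-access systems
    mfa: bool
    password_set: date

def org_host(url):
    # Match on a label boundary so notexample.com is not taken for example.com.
    host = (urlparse(url).hostname or "").lower()
    return any(host == d or host.endswith("." + d) for d in ORG_DOMAINS)

def exposed_names(log_lines):
    """Usernames from 'url,username' lines whose host belongs to the organisation."""
    pairs = (line.strip().rpartition(",") for line in log_lines)
    return {user.strip().lower() for url, _, user in pairs if org_host(url)}

def audit(accounts, log_lines, today):
    exposed = exposed_names(log_lines)
    findings = {}
    for a in accounts:
        issues = []
        if a.name.lower() in exposed:  # compromised whatever its sensitivity or MFA state
            issues.append("in stealer log: reset and revoke sessions")
        if a.remote_access and not a.mfa:
            issues.append("remote access without MFA")
        if a.kind == "service" and (today - a.password_set).days > ROTATION_DAYS:
            issues.append("service credential overdue for rotation")
        if issues:
            findings[a.name] = issues
    return findings

# Constructed sample data; no real hosts, accounts or log content.
LOG_LINES = ["https://vpn.example.com/login,J.Doe",
             "https://portal.notexample.com/,svc-print",
             "https://mail.example.com/owa,intern.temp"]
ACCOUNTS = [Account("j.doe", "user", True, True, date(2025, 11, 3)),
            Account("intern.temp", "user", True, False, date(2020, 6, 1)),
            Account("svc-backup", "service", False, False, date(2025, 1, 15)),
            Account("svc-print", "service", False, False, date(2025, 12, 20))]
TODAY = date(2026, 1, 10)
```

`audit(ACCOUNTS, LOG_LINES, TODAY)` flags `j.doe` even though MFA is enabled, because presence in a stealer log is treated as compromise on its own.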
The darknet economy's recovery from Hydra was not a return to a previous state. It was a reorganisation into something harder to locate, faster to reconstitute, and more specialised in its outputs. The market that exists in 2026 sells access with the efficiency of a logistics operation and the resilience of distributed infrastructure. The organisations most exposed are those whose security posture was calibrated for the threats of 2019 — perimeter-focused, signature-dependent, and unaware that their domain administrator's credentials have been for sale since February.
Sources & further reading
- CYJAX — IAB Market 2024 In Review: https://www.cyjax.com/resources/white-paper/white-paper-initial-access-broker-market-2024-in-review
- CYJAX — IAB Q3 2024: https://www.cyjax.com/wp-content/uploads/2024/11/IAB-report-Q3.pdf
- Chainalysis — Darknet Markets 2025 Update: https://www.chainalysis.com/blog/darknet-markets-2025/
- Chainalysis — How Darknet Markets Fought Post-Hydra: https://www.chainalysis.com/blog/how-darknet-markets-fought-for-users-in-wake-of-hydra-collapse-2022/
- Cyberint/Check Point — IAB Deep Dive 2024: https://cyberint.checkpoint.com/blog/research/a-deep-dive-into-initial-access-brokers-trends-statistics-tactics-and-more/
- Rapid7 — IAB Analysis H2 2024 (via Infosecurity Magazine): https://www.infosecurity-magazine.com/news/cybercriminals-low-cost-initial/
- Europol IOCTA 2024: https://www.europol.europa.eu/publication-events/main-reports/internet-organised-crime-threat-assessment-iocta-2024
- Breachsense — Dark Web Markets 2026: https://www.breachsense.com/blog/dark-web-markets/